What information should be in a bounty brief?

Part of our work at Bugcrowd is to help guide customers in the creation of their bounty brief. We always want to make sure that researchers have the info they need so that they can get testing ASAP.

Question:
What information should be in a bounty brief? Is there certain information that can especially help you in your work?

Bonus: What’s the best bounty brief that you’ve ever read? What made it great?

IMO, encouraging customers to clearly define how much they are willing to pay per bug is a great start. For example, Tesla Motors clearly defined their bounty:

XSS: $200–$500
CSRF: $100–$500
SQL: $500–$10,000
Command injection: $10,000
Business logic issues: $100–$300
Horizontal privilege escalation: $500
Vertical privilege escalation: $500–$10,000
Forceful browsing/Insecure direct object references: $100–$500
Security misconfiguration: Up to $200
Sensitive data exposure: Up to $300